You can’t afford not to read this

(Adapted from a post at Kent University: https://blogs.kent.ac.uk/isnews/you-cant-afford-not-to-read-this/ – but it’s so spot on, I thought I’d share it here)

You are likely to get at least one fake email this week, and it might be very convincing. You need to know what clues to look for so that you don’t lose work or personal data such as photos, or put University data at risk.

Good fakes look almost identical to genuine emails, and often appear to be from companies you know, such as:

  • Amazon
  • eBay
  • PayPal
  • phone companies like O2 and Vodafone
  • courier companies like DHL and UPS
  • travel companies
  • student finance
  • local companies. Remember criminals don’t just copy large companies.

[Image: example of a fake O2 email]

Clues to look for

  1. If it says you’ve ordered a service that you haven’t – it’s highly likely to be fake. Delete the email, even if it looks convincing. If you want to double-check, use a browser and find their website. From there you can check your online account or contact them.
  2. If there’s an attached file you weren’t expecting – don’t open or even preview it. Attachments are used to unleash a virus. They know you might be curious enough to want to look and see what it is. Do not look – delete it. Absolutely do not ‘enable content’ or ‘enable macros’.
  3. Check the email address it was sent from. Does it look like the expected sender? Is it readable, or unusual, or sent ‘on behalf of’ another email account? Note that even if it looks like the right sender, hackers can ‘hijack’ genuine email accounts – so look for other clues.
  4. Don’t click on links if you have any doubts. The link text you see on the screen might not match the website address it will go to. If you can, hover your mouse over them and the actual website address will appear. Is it a readable, sensible destination for that company?
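The link clue above (visible text that does not match the real destination) is something a mail filter, or a curious recipient, can check mechanically. The Python below is an added example written for this page, not code from the original post or from Kent University: it pulls every link out of a constructed sample message, compares the site named in the visible text with the site the href actually points to, and optionally flags links that leave the sender’s expected site. The `expected_sites` parameter, the sample message and the last-two-labels approximation of a site are all assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Matches a bare domain or URL inside the visible text of a link, e.g.
# "www.paypal.com" or "https://www.paypal.com/verify".
DOMAIN_IN_TEXT = re.compile(r"(?i)\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased host name of a URL or bare domain, or None if there is none."""
    value = value.strip()
    if value.lower().startswith(("mailto:", "tel:", "javascript:")):
        return None
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host.lower() if host else None


def site_of(host):
    """Crude registrable-domain approximation (assumption): the last two DNS labels.
    Fine for .com/.net style names; two-level public suffixes such as .co.uk
    would need a public-suffix list."""
    return ".".join(host.split(".")[-2:])


def suspicious_links(html, expected_sites=()):
    """Return a list of (reason, href, text) for links worth a second look.

    "text-target-mismatch": the visible text names one site but the href points
    at another (the classic "hover over the link" clue).
    "off-site": expected_sites was given and the href leaves all of them."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if target is None:
            continue
        match = DOMAIN_IN_TEXT.search(text)
        shown = host_of(match.group(0)) if match else None
        if shown is not None and site_of(shown) != site_of(target):
            findings.append(("text-target-mismatch", href, text))
        elif expected_sites and site_of(target) not in expected_sites:
            findings.append(("off-site", href, text))
    return findings


# Constructed sample: a fake "account verification" message, not a real email.
SAMPLE_HTML = """
<p>Dear customer, unusual activity was detected on your account.</p>
<p>Please confirm your details at
<a href="http://paypal.com.account-check.example/login">https://www.paypal.com/verify</a>
within 24 hours.</p>
<p><a href="https://www.paypal.com/">Log in to your account</a> normally instead.</p>
<p><a href="https://tracker.example.net/u?id=123">unsubscribe</a></p>
"""

if __name__ == "__main__":
    for reason, href, text in suspicious_links(SAMPLE_HTML, expected_sites=("paypal.com",)):
        print(f"{reason}: text {text!r} -> {href}")
```

Run against the sample, the first link is reported because its text names paypal.com while the href lands on account-check.example, and the unsubscribe link is reported as off-site; the plain "Log in to your account" link is left alone because its text makes no claim about where it goes.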

If you’re not sure if it is fake or not

  • Contact the organisation outside of the email or go to their website independently. From there you can check your online account or contact them.
  • Never ‘Load remote content’ or ‘download pictures’ if you have any doubts at all.
  • If it is definitely fake, mark it as junk and delete it. Don’t reply, click links, view attachments or view images.

If you think you’ve responded to a fake

If you’ve previewed or opened an attachment which you now realise is fake, or clicked a link, or allowed ‘remote content’ or images to be seen in an email that is likely to be fake:

  • turn off your device immediately.
  • if you think your bank details have been compromised, contact your bank immediately.
  • contact the Service Desk (it.servicedesk@ncl.ac.uk or call x85999)

A note about your passwords

  • Never give out your CAMPUS password (or any other password). No reputable organisation will ask you to do this. Newcastle University IT staff do not need your password to perform maintenance on your account, and will never ask you to ‘verify your details’.
  • If you think your password has been compromised, contact the Service Desk, and change your password.
  • Don’t use the same password for more than one account. Just don’t do it.
  • Try and use a unique password with a mixture of letters, numbers and punctuation.

We do block most fake messages that are sent to your University email account, as we have ways of identifying them before they reach your Inbox. But some may still get through to you, unfortunately.

Exchange ActiveSync Stats Update December 2012

Below are the statistics for the types of unique mobile devices that have connected to the on-premises and Office365 Exchange servers for email and calendaring.

There have been 9834 unique mobile devices connected between 01/12/2012 and 17/12/2012. Well over 9000 unique devices connect on any one day.

Of the 9834 devices, 3707 devices belong to staff and research postgraduate students connecting to the on-premises Exchange servers. 6127 devices belong to undergraduate and taught postgraduate students connecting to the Office365 Exchange servers.

Once again, we have seen a significant increase from previous statistics gathered.

Exchange ActiveSync Statistics Update

Every year we try to produce some statistics of the types and number of mobile devices that are connecting to the Exchange servers for email and calendaring.

There have been 7064 unique mobile devices connected between 01/04/2012 and 15/08/2012.

Of the 7064 devices, 4697 belong to students and 2367 to staff.

 

Our Journey to the Cloud (Office 365): Part 2 – Technical Overview

This post outlines the technical steps on the road to implementing our Federated Office 365 with SSO and Exchange Hybrid Deployment. Each of these steps will be expanded upon in subsequent posts.

About Our Environment

Active Directory

Our Active Directory Forest consists of three domains: an ‘empty’ Forest Root Domain, fangorn.ncl.ac.uk (this was best practice when the Forest was created); a resource domain, campus.ncl.ac.uk, which contains all objects used to manage the campus in Newcastle, UK; and a third domain which is used to manage computer objects at our campus in Malaysia. For the purposes of deploying Office 365 we can ignore this last domain.

Our DNS namespace, .ncl.ac.uk, runs on a UNIX BIND system, and the domain controllers for the zones mentioned above have delegated authority for those subdomains. The Forest and all domains are running at the Server 2008 R2 functional level.

Mail

We run a mixture of Exchange 2007 SP2 and Exchange 2010 SP2 and are in the midst of migrating our staff and postgraduate research students to Exchange 2010. Exchange 2007 remains on SP2 due to an incompatibility with a third-party archiving solution. All Exchange servers are separated by role (CAS, HUB and MBX), generally with multiple instances of each for site-based resilience. The Exchange Client Access infrastructure is fronted by a hardware load balancer.

Office 365 Tenancy Configuration

Configuring the Office 365 tenancy involved running the Office 365 deployment readiness tool and contacting Microsoft in order to have the tenancy located in the appropriate location relative to the number of users (size of the organisation). Another important step at this stage is proof of ‘ownership’.

Active Directory Federation Services Configuration

Federation of the Active Directory means that users can access services in Microsoft Office 365 using their existing Active Directory credentials (user name and password). Just as importantly, this means we can use our existing user lifecycle, provisioning and access configuration tools to manage users of both cloud and on-premises services.

The setup of Identity Federation and single sign-on (SSO) for Office 365 requires Active Directory Federation Services (AD FS).

Directory Synchronisation Configuration

The Microsoft Online Services Directory Synchronisation Tool (DirSync) establishes a one-way synchronisation from the on-premises Active Directory Forest (all domains) to Microsoft Online.

DirSync is a requirement for running an Exchange Hybrid Deployment and allows global address list (GAL) synchronisation from the on-premises Microsoft Exchange Server environment to Microsoft Exchange Online.

Exchange Hybrid Deployment Configuration

An Exchange Hybrid Deployment refers to the full-featured deployment of a cross-premises Exchange messaging solution with Office 365 for enterprises and Exchange Online.

The features that an Exchange Hybrid Deployment delivers are:

  • Mail routing between on-premises and cloud-based organisations
  • Mail routing with a shared domain namespace. For example, both on-premises and cloud-based organisations use the University’s standard @newcastle.ac.uk SMTP domain.
  • A unified global address list, also called a “shared address book”
  • Free/busy and calendar sharing between on-premises and cloud-based organisations
  • Centralised control of mail flow. The on-premises organisation can control mail flow for the on-premises and cloud-based organisations.
  • A single Outlook Web App URL for both the on-premises and cloud-based organisations
  • The ability to move existing on-premises mailboxes to the cloud-based organisation
  • Centralised mailbox management using the on-premises Exchange Management Console (EMC)
  • Message tracking, MailTips, and multi-mailbox search between on-premises and cloud-based organisations

Implementation

The team responsible for the implementation of Office 365 is the ISS Infrastructure Systems Group with our very own John Donaldson managing the project. A steering group with student representation provides strategic direction and sign-off.

Our broad testing and implementation strategy is the creation of two test environments followed by production.

POC Environment: A simple proof of concept comprising a single domain with the minimal infrastructure required to test the concepts of Federated Office 365 with SSO and Exchange Hybrid Deployment.

Full Test Environment: A fully virtualised environment which mimics (as closely as possible) our production environment. This environment will be maintained in tandem with the production environment and any future changes will be tested here first.

Office 365/ADFS 2.0: Forms AND Integrated Authentication (SSO) based on the user agent string

Background

The ADFS Farm + ADFS Proxy Farm model that we are using for Office 365 requires that the DNS name (CNAME) of the ADFS service is the same for both the ADFS proxy server farm and the internal ADFS farm (in our case adfs.ncl.ac.uk). Users ‘inside’ our network need to be directed to the internal farm and external users to the proxy farm.

ADFS supports multiple authentication mechanisms, including the two we are interested in: Windows Integrated Authentication (WIA) and Forms Based Authentication (FBA). It seems, however, that there is no way to dynamically select which one is used when a request hits the farm based on client properties. Where Office 365 is concerned, a farm uses either WIA or FBA.

The way our network is configured means that we do not have the Internal/DMZ/Internet network model with split-brain DNS that the Microsoft documentation seems to expect. Our systems point at a single zone (running on BIND) which resolves both internal and external requests. As such, private IP addresses such as that of the internal ADFS Farm can be resolved (but obviously not connected to) from the Internet.

Working with our Network team we were able to get around this with a workaround in BIND, so that anyone on the Internet receives the address of the proxy farm and anyone coming from one of our internal IP ranges receives the address of the ADFS farm.

The problem for us is that only around 70% of our internal clients are domain joined and so able to take part in SSO using WIA. The other devices may be non-Windows machines, non-domain-joined Windows machines or mobile devices. Because they are coming from one of our internal address ranges they are directed to the internal WIA-enabled ADFS farm and get an unfriendly pop-up box requesting authentication.

[Image: the browser authentication pop-up]

We do not think that this is a good user experience so we sought a solution which would let us provide both authentication methods to internal clients.

Possible solutions

After discussions internally and with Microsoft we were presented with three possible ways to deal with this problem.

  1. Our Network team could define every IP range we have and point each at the relevant BIND DNS view. This is obviously an inelegant solution and would not cover all scenarios, as many ranges in our environment contain both domain-joined and non-domain-joined clients. It would however work for wireless guests as they are on specific ranges.
  2. Microsoft proposed pushing out a HOSTS file to all domain-joined clients pointing them at the internal farm. This is not a scalable or suitable option in our environment as we have development work going on all over the University, and this would essentially remove people’s ability to use the HOSTS file, since it would be overwritten by whatever mechanism we put in place to do the job.
  3. The third option was suggested by a Microsoft representative on the Office 365 community forums. The ADFS Farm could be configured to read a custom value from the browser’s user agent string. This value would be parsed server-side and, if present, the request would be authenticated by WIA. Other requests would be forwarded on to FBA. This was particularly attractive to us as we already use a custom user agent string value for Shibboleth authentication.

What we lacked was the expertise to implement this solution, but thanks to collaboration with our colleagues, as well as working with members of the Microsoft TechNet community, we were able to implement something that seems to do the job for us. We thought we would share this in the event others are running into the same problem!

Out of the Box Authentication with ADFS 2.0

The mechanism used by default on an ADFS farm or proxy farm is set by the order of the entries in the <localAuthenticationTypes> element of the ADFS web.config: the first entry is the one used. For FBA, ‘Forms’ is at the top of the list:

<microsoft.identityServer.web>
  <localAuthenticationTypes>
    <add name="Forms" page="FormsSignIn.aspx" />
    <add name="Integrated" page="auth/integrated/" />
  </localAuthenticationTypes>
</microsoft.identityServer.web>

For WIA, ‘Integrated’ is at the top of the list:

<microsoft.identityServer.web>
  <localAuthenticationTypes>
    <add name="Integrated" page="auth/integrated/" />
    <add name="Forms" page="FormsSignIn.aspx" />
  </localAuthenticationTypes>
</microsoft.identityServer.web>

Implementing Selective Authentication using the user agent string

Manipulation of the User Agent string on Internet Explorer, Firefox and Chrome

The first thing required is to append the custom string to the browsers’ user agent strings. This can be done in Internet Explorer using Group Policy:

  1. Under User Configuration expand Windows Settings/Internet Explorer Maintenance.
  2. Select ‘Connection’.
  3. In the right-hand pane, double-click User Agent String.
  4. On the User Agent String tab, select the ‘Customize String To Be Appended To User Agent String’ check box.
  5. Type in the string (in our case campus-ncl).

We have this value set in the ‘Default Domain Policy’ though it could be set lower down.

For Firefox and Chrome things have to be done in the application deployment package. Obviously people will have to use a managed version of the product as it’s not exactly a user-friendly setup!

In Firefox the prefs.js file requires two extra lines (the override replaces the whole user agent string, so the browser’s actual string has to be included before the custom value):

user_pref("network.negotiate-auth.trusted-uris", "<ADFS FQDN>");
user_pref("general.useragent.override", "<actual agent string> <customstring>");

So in our environment:

user_pref("network.negotiate-auth.trusted-uris", "adfs.ncl.ac.uk");
user_pref("general.useragent.override", "<actual agent string> campus-ncl");

Chrome needs to be run with some extra switches:

--auth-server-whitelist="<ADFS FQDN>" --user-agent="<actual agent string> <customstring>"

So in our environment

--auth-server-whitelist="adfs.ncl.ac.uk" --user-agent="<actual agent string> campus-ncl"

Extended Protection must be disabled on the ADFS Farm in IIS (for Firefox and Chrome only)

In order to get SSO working with Firefox and Chrome, Extended Protection must be disabled on the ADFS Farm in IIS. Extended Protection for Authentication binds the Windows authentication exchange to the TLS channel it arrives over, so disabling it removes that channel-binding check; lots of information on this feature and the consequences of disabling it can be found with a simple Google search.

ADFS Farm modifications

There are two steps required on the ADFS farm:

  1. Enable Forms Based Authentication as the default method.
  2. Modify the FormsSignIn.aspx.cs source code file.

To turn on FBA, edit the <localAuthenticationTypes> element of the ADFS web.config file and make sure ‘Forms’ (FBA) is at the top of the list:

<microsoft.identityServer.web>
  <localAuthenticationTypes>
    <add name="Forms" page="FormsSignIn.aspx" />
    <add name="Integrated" page="auth/integrated/" />
  </localAuthenticationTypes>
</microsoft.identityServer.web>

Next, open the FormsSignIn.aspx.cs source code file.

Out of the box, the code looks like this:

using System;

using Microsoft.IdentityServer.Web;
using Microsoft.IdentityServer.Web.UI;

public partial class FormsSignIn : FormsLoginPage
{
 protected void Page_Load( object sender, EventArgs e )
 {
 }
…

We need to add some code to the Page_Load event handler which will forward the request to integrated authentication if the campus-ncl user agent string is present. To do this we had to add System.Web to the namespace list.

using System;
using System.Web;
using Microsoft.IdentityServer.Web;
using Microsoft.IdentityServer.Web.UI;

System.Web supplies the classes that enable browser-server communication, which are needed to get the user agent string and the query string generated by Microsoft Online Services.

protected void Page_Load( object sender, EventArgs e )
{
    // Get the raw query string generated by Office 365 (everything after the '?').
    // If the URL carries no '?' there is no query string to pass along.
    string rawUrl = Request.RawUrl;
    int pos = rawUrl.IndexOf('?');
    string rawq = (pos >= 0) ? rawUrl.Substring(pos + 1) : string.Empty;

    // Parse and re-encode the query string (qs) so it can be appended to the redirect URL
    string qs = HttpUtility.ParseQueryString(rawq).ToString();

    // Get the user agent value; a client may send none, so guard against null
    string uagent = Request.UserAgent ?? string.Empty;

    // Check if the string campus-ncl appears in the User Agent.
    // If it is there, forward to WIA along with the query string.
    // The user agent is chosen by the client, so this only selects which
    // authentication handler is offered; WIA itself still has to succeed.
    if (uagent.IndexOf("campus-ncl", StringComparison.Ordinal) > -1)
    {
        Response.Redirect("/adfs/ls/auth/integrated/?" + qs, true);
    }
    else
    {
        // Carry on and do Forms Based Authentication
    }
}

And that’s it! Anyone using a managed browser with the custom string will be forwarded for WIA and get the SSO experience and all others will get FBA.

Things to note

  1. This method is not officially supported by Microsoft and there are potential issues around future ADFS upgrades (there is no guarantee that the same configuration will exist in future versions of ADFS). We are also developing the fall-back plan of pointing different clients at the different farms in DNS in case it is needed.
  2. There may very well be a better way to do this! If you find one please let us know 🙂

Special mention

Although we knew what we wanted to do, we were having trouble getting the query string and putting it in a usable form (I’m not a programmer!). This information was provided by another TechNet forum member.

 

Our Journey to the Cloud (Office 365): Part 1 – Introduction

Newcastle University has made the decision to move some of its Student email services to the cloud using Microsoft’s Office 365 platform. We have decided to share our journey as we go through it, explaining the reasons why along with detailed technical information which we hope may be of use to other institutions.

Introduction

The University’s current undergraduate (UG) and postgraduate taught (PGT) student Email hosting service resides upon a mature ISS hosted Exchange 2007 platform that is four years old. The hosting hardware will reach end of life during 2012. ISS planned to review student Email hosting options as this hardware approached end of life, with a view to comparing an internally provisioned replacement service against a Cloud based solution or the “no provision” option.

The University’s current Email hosting provision is split into two services, one for UG/PGT and the other for staff/PGR. The UG/PGT service serves over 30,000 student mailboxes with an overlapping group of graduating students whose mailboxes are retained for a period of time post-graduation. The current staff Email hosting platform serves around 10,000 staff and postgraduate research (PGR) mailboxes. Both staff and student hosting platforms are inter-linked using Microsoft Active Directory, which permits a seamless integration of calendaring, address list and message tracking functionality.

The Email hosting platform for UG/PGT resides upon six servers and six directly attached disc arrays (each with 12 mirrored hard discs). The servers are deployed in an active/passive configuration between two data-centres (that is although data is replicated between the two data-centres, only servers in one data-centre provide service to students at any one time). Student access to the service is via Outlook Web Access and personal mobile devices only. UG/PGT students have a quota of 200MB, although they cannot send Email when a 150MB limit is reached.

Choices

We believed there were three alternatives for UG/PGT Email hosting provision: in-house; outsourced to the Cloud; no provision.

In-house Provision

ISS estimate that the non-staff cost of replacing the current UG/PGT hardware platform in 2012 will require a capital investment of £160K with a recurrent element of £5K pa. The electrical usage and carbon impact of in-house provision is estimated to be 68,000 kWh and 36,500 kg of CO2 pa. In addition to this, staff costs must be taken into account.

Cloud Provision

Both Microsoft and Google provide their respective services to education establishments free at the point of use. Other cloud-based options are available, generally with different service levels, but at a financial cost to the institution.

No Provision

The final alternative is that the University does not provide any Email hosting facilities to UG/PGT students. Given nearly all students arrive at the University with an existing personal Email account (e.g. Yahoo, Gmail, and Hotmail), does the University need to provide another Email account for UG/PGT students to monitor and use? To ease communications between staff and students, the University could provide a forwarding service whereby a @ncl.ac.uk Email address is available for each student that simply forwards to their personal Email account, such forwarding addresses made available in the University’s global address list.

Microsoft vs Google

Microsoft’s current Cloud service in the education arena is branded as “Live@Edu”; Microsoft plan to upgrade and re-brand the offering as “Office 365 for Education” early in 2012. Given the timescales only the “Office 365 for Education” offering will be discussed. It offers (to students):

  • Online version of Microsoft Exchange 2010;
  • 25GB Email quota;
  • Office Web Apps (online versions of Microsoft Word, Excel, PowerPoint and OneNote);
  • Instant messaging/video conferencing via Lync Online;
  • Collaborative web sites via SharePoint Online;
  • Linkage with the University’s Active Directory infrastructure to permit calendaring and address list integration between the University’s staff/PGR Email infrastructure and Office 365 for Education;
  • Secure use of University authentication system (students will use their Campus password);
  • Use post-graduation facilitating alumni communications.

Google

The Google Cloud service in the education arena is branded “Google Apps for Education”. It offers:

  • Online version of Gmail;
  • 25GB Email quota and 1GB of storage for Google Docs;
  • Google Docs (online word processor, spread sheet and drawing packages);
  • Instant messaging via Google Talk;
  • Collaborative web sites via Google Sites;
  • Secure use of University authentication system (students will use their Campus password);
  • Use post-graduation facilitating alumni communications.

The Decision

Both Microsoft and Google provide similar functional offerings. The primary differentiators between the offerings are the integration with the University’s infrastructure and, from a student experience perspective, the familiarity of the Online Office applications compared to those currently deployed on student cluster desktops.

Following consultation with student representatives and the University Teaching, Learning and Student Experience Committee, Strategic Information Systems Group agreed to proceed with a project based upon Microsoft Office 365.

NEXT: Our Journey to the Cloud (Office 365): Part 2 – Technical Overview

Exchange Activesync Statistics Update

[Image: ActiveSync logo]

It has been about a year since I last published some statistics on the different mobile devices that are connecting to the Exchange servers for email/calendaring. Those statistics can be found here.

There have been 5161 unique mobile devices that have accessed the Exchange service in the month from 09/05/11 to 08/06/11.

[Image: device statistics, May 2011]

As you can see there has been a huge increase in the number of mobile devices accessing the Exchange service, and this can surely be taken as an indication of the growing reliance on mobile technology as a way of accessing University services.

A surprising statistic is that 4299 of the 5161 have used the service within the last 24 hours!

The dangers of using the bin to store things you want to keep

When you build IT systems and you put limitations on how they are intended to be used, it goes without saying that people will try to find ways of getting round those limitations. We’ve always been fairly liberal about what users can do with our systems, but there are some times that we have to put limits in place. For example, we don’t have an unlimited amount of disk space, so we have to put quotas on storage capacity for each user’s email and files.

It turns out that some people try to work around these quotas by deleting email messages or files that they want to keep and take advantage of Exchange’s Recover Deleted Items feature and the shadow copies of home folders on file servers (seen as Previous Versions in Windows Explorer). Some people may get away with working like that for some time, simply recovering the content during the retention period and then deleting it again so that it doesn’t impact their quota.

As a way of working that’s about as safe as storing your important paperwork in the bin and hoping that you’re always there to take it out before the cleaner comes along to empty it. From time to time, routine maintenance on the file servers will result in shadow copies being lost – it’s not that we’re being careless with them; that’s just the way it works. If your mailbox has to be moved from one Exchange mailbox store to another, you’ll lose the ability to recover your deleted items. We try to keep these instances to a minimum because those features are useful for quickly recovering when accidents do happen, but sometimes they are necessary in the course of keeping the systems running as reliably as possible.

Throwing things away and then hoping that the bin doesn’t get emptied is not a solution. If there are legitimate reasons why your quota isn’t big enough, then there are better ways to work. We have a system for requesting increases to home folder quotas and a Home Archive Service for infrequently accessed data (and other solutions for even bigger data requirements, such as large sets of research data), and we have an Exchange Archiving System to store larger amounts of old mail. If none of those meet the specific need, then we’re happy to help to find a solution that works.

The Magic of CTRL-K

We often get grumbles about how Outlook seems to make a poor fist of finding names in the Global Address List (GAL) when using the Address Book feature of Exchange. Unless you click the Advanced Find link from within the Address Book, the pattern matching for names is from left to right, based on the Display Name of the Active Directory account. Also note the More Columns option, which allows the search to take place across all Active Directory fields.

[Screenshot: Address Book GAL search]

[Screenshot: Advanced Find based on Last Name]

[Screenshot: results based on Advanced Find]

To speed up this process you can use the handy keyboard shortcut CTRL + K. It is a shortcut for the Check Names icon that can be found on the Outlook toolbar. You can type a variety of search terms based on the user’s personal information recorded in their Active Directory account.

For example, you can type: First Name, Last Name, Display Name, Email Address, Department amongst many other fields.

[Screenshot: Check Names results]

The name resolution really comes into its own when combining search terms. You can type a first name + a department and the system will try to marry those two terms and provide a best guess. In the example below, I asked Outlook to search for “John” and “ISS”. Outlook provided me with results that contain those two terms in any of the available fields.

It is important to note that you still have to verify that the results are correct, and not take for granted that the recipient you have selected is the right one. As we have so many staff and students, there are quite a few people with the same name. If you use the scroll bar in the results window, you can see which department the people returned belong to.

Outlook, text formatting and signatures

Summary: appending three spaces to the end of each line of a text block (e.g. a signature block) in a plain text message will stop Outlook from joining lines and messing up your formatting.

Long version…

For a while now we’ve had niggling issues with the formatting of plain text email signatures in Outlook.
The problem was that a signature sent as

--
Paul Haldane
Infrastructure Systems
Information Systems and Services, Newcastle University
Claremont Tower
Claremont Road
Newcastle upon Tyne
NE1 7RU

Would be displayed (by default) in Outlook as

--
Paul Haldane
Infrastructure Systems
Information Systems and Services, Newcastle University Claremont Tower Claremont Road Newcastle upon Tyne
NE1 7RU

I don’t understand why the last line isn’t joined on to the penultimate line but I assume that it’s another feature of Outlook’s rendering algorithm.

NB That’s not my real email sig – the one that I use is

--
Paul Haldane
Manager, Infrastructure Systems
Information Systems and Services
Newcastle University

The example I’ve used at the top has characteristics which lead to the problem appearing while my real sig doesn’t (which had been one of the puzzling factors during the investigation).

The correct rendering can be shown by the recipient selecting “restore line breaks” when looking at a message or un-ticking “Remove extra line breaks in plain text messages” (Options->Preferences->E-mail options). Even if we decided that changing the default setting for University managed machines to not remove extra line breaks was a good idea, we obviously can’t control the settings for external recipients.

One of the reasons that this issue was hard to track down was that not all sigs demonstrated the problem. Mine didn’t; our director’s did and our VC’s did (which is one of the things that gave the issue visibility).

Comparing the original versions of the three I guessed that the common factor might be line length. Both of the problem sigs had longer lines than mine – split was somewhere between 38 and 44 characters. More testing …

INPUT

41

One two three four five EOL
0000 xxxx 1111 XXXX 2222 xxxx 3333 XXXX 4
One two three four five EOL

40

One two three four five EOL
0000 xxxx 1111 XXXX 2222 xxxx 3333 XXXXx
One two three four five EOL

39

One two three four five EOL
0000 xxxx 1111 XXXX 2222 xxxx 3333 XXXX
One two three four five EOL

OUTPUT

41

One two three four five EOL
0000 xxxx 1111 XXXX 2222 xxxx 3333 XXXX 4 One two three four five EOL

40

One two three four five EOL
0000 xxxx 1111 XXXX 2222 xxxx 3333 XXXXx One two three four five EOL

39

One two three four five EOL
0000 xxxx 1111 XXXX 2222 xxxx 3333 XXXX
One two three four five EOL

So the breakpoint is 40. Lines after that are joined.

One unexplained fact was that the longest line in the VC’s sig was

Vice-Chancellor: Newcastle University

Which if you count is only 37 characters. However previous attempts to fix the problem by appending spaces to the end of the line (see below) meant that the line had two non-breaking spaces and a space at the end bringing the length to 40. (Non-breaking spaces can be explicitly inserted by typing control-shift-space in Outlook’s message editor but there might be some cleverness going on that converts three adjacent spaces to a mixture of non-breaking and real.)

Tests and investigation had got us a reasonable model for when the problem would happen (and an explanation for why I didn’t see it with my sig). We didn’t yet have a solution.

Internet folklore suggests that adding three spaces to the end of each line (or two spaces at the start; or a tab at the end – opinions vary as to which is the most consistent) will result in messages being rendered in Outlook as intended.
I tried appending three spaces to each non-empty line in the input. This gave the desired behaviour; lines were rendered correctly by the recipient’s instance of Outlook (no matter what their setting for removing extra line breaks was).

I was just looking back through my open tabs to put in some references to the Internet folklore that I’ve mentioned and spotted a very informative post that I must have consistently skimmed over. On http://stackoverflow.com/questions/136052/how-do-i-format-a-string-in-an-email-so-outlook-will-print-the-line-breaks mtruesdell says the following …

Every message starts with continuation off.
Lines less than 40 characters long do not trigger continuation, but if continuation is on, they will have their line breaks removed.
Lines 40 characters or longer turn continuation on. It remains on until an event occurs to turn it off.
Lines that end with a period, question mark, exclamation point or colon turn continuation off. (Outlook assumes it’s the end of a sentence?)
Lines that turn continuation off will start with a line break, but will turn continuation back on if they are longer than 40 characters.
Lines that start or end with a tab turn continuation off.
Lines that start with 2 or more spaces turn continuation off.
Lines that end with 3 or more spaces turn continuation off.

This is from testing against Outlook 2007 – he’s obviously got more patience than me. It would be so much easier if Microsoft published the algorithm that Outlook uses – at the moment there’s nothing to say that this behaviour won’t change in future versions.
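As an added illustration, not code from the post or from mtruesdell, the Python below simulates the line-joining rules quoted above and runs them over the 41/40/39 test blocks and the three-trailing-spaces fix described earlier. Two points the quoted rules leave open are taken as assumptions: the threshold is 40 characters inclusive (as the tests above found), and a blank line is kept as a paragraph break. The rules as stated would also pull the “NE1 7RU” postcode line up onto the joined line, which the post observed Outlook not doing, so the simulator is a model of the published rules rather than of Outlook itself.

```python
# Characters that, at the end of a line, make Outlook treat it as the end of a sentence.
SENTENCE_END = (".", "?", "!", ":")
# The line length at which continuation switches on (the breakpoint measured above).
CONTINUATION_LENGTH = 40


def stops_continuation(line):
    """True if the line carries one of the signals that turn continuation off."""
    if line.strip() == "":
        return True  # assumption: an empty line is kept as a paragraph break
    return (
        line.endswith(SENTENCE_END)
        or line.startswith("\t")
        or line.endswith("\t")
        or line.startswith("  ")   # two or more leading spaces
        or line.endswith("   ")    # three or more trailing spaces
    )


def render_like_outlook(text):
    """Apply the 'Remove extra line breaks' heuristic to a plain-text message.

    Returns the text as the rules say Outlook would display it: while
    continuation is on, a line is joined to the previous one with a single
    space; otherwise it starts a new line."""
    rendered = []
    continuation = False
    for line in text.splitlines():
        stop = stops_continuation(line)
        if continuation and not stop:
            rendered[-1] = rendered[-1] + " " + line  # line break removed
        else:
            rendered.append(line)
        if stop:
            continuation = False
        if len(line) >= CONTINUATION_LENGTH:
            continuation = True  # a long line (re)starts continuation, even one that stopped it
    return "\n".join(rendered)


def pad_for_outlook(text):
    """The fix from the post: append three spaces to every non-empty line."""
    return "\n".join(line + "   " if line.strip() else line for line in text.splitlines())


# The 39-character filler line from the test blocks above.
FILLER = "0000 xxxx 1111 XXXX 2222 xxxx 3333 XXXX"


def three_line_case(middle):
    """The three-line INPUT block from the post with the given middle line."""
    return "\n".join(["One two three four five EOL", middle, "One two three four five EOL"])


# The example signature from the post, reconstructed line by line.
SIGNATURE = "\n".join([
    "--",
    "Paul Haldane",
    "Infrastructure Systems",
    "Information Systems and Services, Newcastle University",
    "Claremont Tower",
    "Claremont Road",
    "Newcastle upon Tyne",
    "NE1 7RU",
])


if __name__ == "__main__":
    for label, middle in (("41", FILLER + " 4"), ("40", FILLER + "x"), ("39", FILLER)):
        print(label, "chars, as sent:")
        print(render_like_outlook(three_line_case(middle)))
        print(label, "chars, with three trailing spaces:")
        print(render_like_outlook(pad_for_outlook(three_line_case(middle))))
        print()
    print("signature, as sent:")
    print(render_like_outlook(SIGNATURE))
    print("signature, padded:")
    print(render_like_outlook(pad_for_outlook(SIGNATURE)))
```

The VC’s 37-character line is a useful check on the model: with two non-breaking spaces and a space on the end it reaches 40 characters, which is not one of the “three or more spaces” stop signals, so continuation switches on and the next line is pulled up exactly as the post describes.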